The National Cyber Workforce and Education Strategy has been released and addresses four main areas: federal cyber workforce, national cyber workforce, cyber education and training, and digital awareness. The Office of the National Cyber Director will lay out the strategy’s key pillars, strategic objectives, and next steps, including plans to implement the initiatives called for in the strategy.
>> ANNOUNCER: Please welcome panel moderator Camille Stewart Gloster.
>> CAMILLE STEWART GLOSTER: Good afternoon, everyone. As they said, my name is Camille Stewart Gloster. I am the Deputy National Cyber Director at the White House focused on technology and ecosystem security. And I'm so glad you all have joined us today to learn a little bit about the developing National Cyber Workforce Education and Training Strategy.
The Office of the National Cyber Director organizes national cyber policy around an affirmative vision for a digital ecosystem that is defensible, secure, equitable, aligns with our values and our interests.
In an effort to do that, we released the National Cybersecurity Strategy in March, and in that strategy, we moved towards that affirmative vision. Rather than be responsive to our adversaries, we are focused on how do we get there.
And one of the things called out in that strategy is a focus on cyber workforce, so we’ve been tasked, my team in particular, to focus on building out that strategy. We recognize that this has to be a whole of society endeavor. The federal government owns the smallest piece of making sure that we have a strong cyber workforce.
So, we endeavored to be collaborative not only across the interagency, but with every stakeholder group across the ecosystem to understand the challenge space, the opportunity space, the programs that are working, and where we need to make investments to realize a strong cyber workforce.
That means that we have to invest in people, figure out what skills are needed, and understand what the challenges are of today, but more importantly, of tomorrow.
As the National Cybersecurity Strategy works, we might not need the same number of people focused on endpoint security. We will likely need folks focused on AI and quantum and have security skills woven into that.
So, how do we make sure that we are building out a cyber workforce that can be responsive to the dynamism of an ever changing digital ecosystem? That requires us to focus on the entire flywheel. We need to build broadscale awareness across the American people so that they can have the access and opportunity to even invest in going into a cyber career. We need a strong education and training apparatus to support entry and skilling and maintaining those skills. And we need to invest in the national workforce of which the federal workforce is a unique subset. So, this strategy will focus on that whole group.
And as we engaged with our partners across industry, academia, state, and local governments, the private sector, everything, we learned a few things, a few areas where we had to invest to get this right.
And so, what you'll see in the developing National Cyber Workforce Strategy is four major themes. Ecosystems. Ecosystems are going to be essential to scale and adapt. We have seen in states like North Dakota and Massachusetts or in local communities like San Antonio, a focus on pulling together state and local government, industry, K through 12 education, community colleges, higher education institutions, nonprofits, around a cyber ecosystem and ethos that allows them to not only build awareness and have dinner table conversations around cyber, but also to usher in the next generation of cyber professionals, get them some hands-on training, support the force needs of local governments, industry, nonprofit, smaller organizations that traditionally have been having a hard time getting the support that they need.
So, we need to invest in these ecosystems at the size and scale that's necessary to meet the needs of that local community or that state.
We need to invest in cyber skills, a set of foundational cyber skills. Just like you have to have reading, writing, and arithmetic to be a functional member of society, to best navigate a career in building a life, we believe that there are a set of foundational cyber skills that every American should be equipped with to navigate the technology that shows up in their lives every day, that underpins how they get services, how they connect with family and friends, and how they live their daily lives.
So, we want to really push on how do we create an education and training ecosystem and just an ethos that allows people to have those foundational skills and then layer on top of those so that they can have a cyber career.
So, whether you are a nurse who needs to understand how to protect their clients’ data, their patients’ data, or you are a cybersecurity professional who needs a very unique set of cyber skills, we want to build out a spectrum of skills that allows everyone to be proficient online, to be proficient in their technology use.
We also need everyone to be a part of this work. So we need to make some significant investments in diversity, equity, inclusion, and accessibility to mobilize our greatest strength, our people. Cybersecurity is a people issue. Cyber is a people challenge. Cyberspace requires us to understand people.
And so, if we bring our representation to bear on this challenge, we'll yield innovation, we will better understand how technology shows up in the lives of people, and we will be better able to understand the threat landscape.
We also need more people. I know you guys have heard the stats. Whether you have heard 300,000, 700,000 or 3 million, we got jobs, and so we need to bring more people into this industry.
But we also have a narrative problem. We have done a really good job as cybersecurity practitioners in scaring folks. So, the word cybersecurity makes people's brains shut down, makes them feel like the problem is bigger than themselves, and makes them want to opt out. So how do we change the narrative around cyber and cybersecurity such that people see themselves in it, such that they understand that this is a multi-disciplinary space where you don't only have to be an engineer, and that there are multiple pathways to get into it?
Whether you take a higher education route or you take a bootcamp, you can find good work in this space. So, we also need to change that narrative.
But like I said, the federal government has the smallest role in this. We are writing this strategy with a call to action for every stakeholder across the ecosystem to come and lead this work. We will support. You tell us what you need and that's kind of the work that's been happening over the last few months in our engagement.
So, what I would like to do today is really explore how all of our partners can be a part of implementation, see their reactions to what the strategy is currently developing into.
And so, I'd like to invite a few of our partners onto the stage for a conversation about the developing strategy. Tara Wisniewski from ISC2, Michael Alicea from Trellix, and Diana Burley from American University.
Thank you all for joining me.
>> SPEAKER: Thank you for having us.
>> CAMILLE STEWART GLOSTER: As you can see, this group represents not all of our stakeholders, but a great sample of some of the partners who will have important roles in strategy implementation and have already played an important role in strategy development.
So, for Diana and Tara, as the USG prepares a strategy to strengthen our cyber workforce, from each of your vantage points, what are the challenges and opportunities of the present moment? And what challenges do you expect we will face as we make new strategic investments?
>> DIANA BURLEY: I will start. So first, thank you for having us. And I think that when we think about the educational enterprise, whether we're talking about K-12 or we're talking about community colleges or higher education, we have the opportunity to dig deeper and to think broader. So, when we talk about preparing professionals, if they are technically oriented cyber security professionals, we have the opportunity to help them develop those other skills. Sometimes we call them soft skills. I think they're the hardest skills. But if we’re talking about critical thinking, if we’re talking about problem solving, communication, translation, we have the opportunity to spread across the curriculum and develop those skills.
And for those who are not going into the very technical roles, we also have the opportunity to spread cybersecurity content across the curriculum to those individuals, whether they are policymakers, future nurses, really any field that you think about, there is a base level of cybersecurity knowledge that all of those individuals need to have, and we have the opportunity to take advantage of this moment to integrate that content into our curriculum across. And so we think that this is a real inflection point because we have developed enough content and enough curriculum at various levels to be able to move to the next phase, which is scaling and spreading across the universities and the educational enterprise.
>> TARA WISNIEWSKI: Fully agreed. I think for ISC2, one of the things that we, you know, we talk about all the time is just the workforce gap. We have an annual study. We want to be a leading voice in calling that out. But also, so that's a nice opportunity. But really, the challenge is what are we doing to drive people into the workforce? How can we attract more? How can we retain? This is something that’s really, really critical to the future because honestly, the workforce gap is just growing and we expect that it’s going to continue to grow.
But I'm going to take the opportunity to talk about the question of what challenges do you expect as we kind of make more strategic investments.
I think that the – this is a moment for true partnership across all of the sectors, meaning education sector, industry, organizations like ISC2, because unless we are starting to work together, we are not going to close the workforce gap. And then more importantly, this morning I had the opportunity to just do a side session where I talked about the increase of just legislation that's coming in the cyber field globally that is actually going to create even more demand than we see today. So, this is the opportunity for industry and nonprofit organizations, training organizations, educational institutions to really work together to solve the problem.
>> CAMILLE STEWART GLOSTER: Yeah, that's a natural articulation of that need for coalition building for ecosystems.
>> TARA WISNIEWSKI: Absolutely.
>> CAMILLE STEWART GLOSTER: Michael, one important piece of feedback we received was around the federal cybersecurity workforce but that is a very small piece of the puzzle. And without an investment in the broader national cyber workforce, there will be no improvement in the cyber workforce landscape.
Accordingly, we made sure to make sure there was a broad look at the entire national cyber workforce. How does the forthcoming strategy address the challenges in hiring and retaining cyber talent as you have observed and experienced them from your vantage point in the private sector?
>> MICHAEL ALICEA: Sure. First of all, thank you for having me. I think, you know, when I look at it, there are a number of issues that we've been dealing with for years. And we all know what they are. We have been talking about them for years. And there is no one single company or entity that actually can resolve this. So, I think what the initiative puts forward is a, for the first time that I have seen, a wholistic view to address some of these issues for the ecosystem. You have used it in your opening segment but it's so appropriate.
Because in Trellix, those of you who may not know who we are, we were formed from the merger of McAfee Enterprise and FireEye. 80% of Fortune 500 companies use our services. And for us, what we saw is that there is no way that we would fill any of our gaps by simply doing what we were doing before.
The nonprofit organizations are just starting up. And imagine if we all could work towards building that ecosystem, that infrastructure up. Because as you said, it starts from K through 12 through, you know, undergraduate, graduate, certification programs.
That doesn't happen. One company can't do it, the federal government can't wave a wand and make that happen. And I think ultimately, some of the things that we've done are really focused on how can we drive what we call soulful work, right, which is work that is good for society but also helps us as a nation be protected. This is an existential threat.
>> CAMILLE STEWART GLOSTER: One of the things that I love about all of these answers is that thread of hope. But in acknowledgement of a number of challenges that we need to address. And so, it really underscores the point that this is a collaborative effort and that we will all need to be engaged on implementation.
All of these panelists got an advance copy of the draft strategy. It is continuing to evolve and continuing to refine. They have given their feedback. They have given their perspectives. And based on that, we are hoping that you can share with the audience where you see yourself, where you see your role, your sector or your stakeholder group, represented in the strategy. How do you envision participating in helping to actualize the vision set forward in that strategy? Are there any particular programs or initiatives that you would like to undertake in doing so?
>> TARA WISNIEWSKI: So, I will go first. So, for us as an organization, we are just thrilled to be at the table, first of all, right, and I think it's really important for all of so many people to be at the table.
And for us as an organization, you know, we have traditionally, for thirty-five years, we have been a credentialing body. But we, a couple of years ago, we kind of kicked it up a notch, responded to an internal challenge from our leadership of, you know, we need to lean in. We need to be an advocate for the profession. We need to raise awareness about these issues, particularly in front of policymakers so that as they are drafting workforce development policies, that they are actually going to do something in the sector.
And so, for us, that is something that I think is, you know, an important role for us to be part of is raising awareness and making sure that we are driving people into the field and making sure also that policymakers understand the challenges.
For us as an organization, last year when we were invited to the White House Summit on the beginning of the workforce strategy, we decided to do something bold there. And at that time, we launched an initiative called One Million Certified In Cybersecurity. It is a new credential that we put out into the market last year. And we are putting out a million training, free training, and free exams for this certification as a way to help build the pipeline. And half of that million is dedicated to people in underserved communities all over the globe.
And so, for us, this is something where we're really excited about. This is – working with the White House has been the platform for us to really move that forward and we will continue to do that. And honestly, we launched it not even a year ago and we've already got 200,000 people through the program. So, we're pretty excited about that.
>> CAMILLE STEWART GLOSTER: Excellent.
>> MICHAEL ALICEA: I guess I will go next. You know, it's interesting because, you know, the way I see us interacting is multi-dimensional.
We have an internal issue, which is, you know, how do we get more folks through our doors. Right? We have an external issue is how do we help support the ecosystem to be able to drive the applicant pool at a greater level? And then we have, you know, what we would again, in the soulful work side of it, how can we make sure that those folks that enter are representative of who we are as a nation and the clients and the customers that we support.
On an – from an internal perspective, one of the first things that we did is take a look at the DNA of how we hire, our workforce planning. We took a look at every job description and we said, does – do you need ten years of experience? Or will five do? Do you need to have a four-year degree? Will a two-year degree or a certification program work? And we started actually working through that and we changed every job description to be able to meet that requirement.
What did that do? That actually gave us a lot more energy. First of all, it gave us an opportunity to clean up our job descriptions so they made sense, right. It is not for organizations in prior years. But it also allowed us to really rethink what we need, that kind of energy we want in our organization.
We then, from an external perspective, started looking out and saying well, what are some easy things that we can do by partnering up with great organizations? We talked about the National Cybersecurity Alliance. It has done some great work with HBCUs. We partnered up with an organization called HACE, Hispanic Alliance for Career Enhancement, where we created an accelerator program. They have 92,000 members. They are Hispanic. It’s a great place to go look. And it is a small amount of funding to actually start this accelerator program that they can go through and we can hire. And guess what? They're going to graduate more than we can absorb and that's better for the industry.
That's why there is no single entity or company that can actually do this. It is in our best interest as a country and as an industry to be able to have multiple vendors involved, both public/private institutions involved because it will, again, they're going to create programs that will be more than they can absorb. Where do they go? Well, they go to other companies that maybe don't have that. So, again, I think the policy itself helps feed that sort of thinking.
And then finally, when we take a look at the folks internally, there are programs like Gotara which is an organization that really focuses on STEM+ skills for women in the workplace, micro learning. What does that mean? That means that you have snippets of learnings and development that you can have that within two weeks, you can put it into practice. Guess what? We had a 93% retention rate for people that went through that program.
And with some of the other things that we've done, I hired over a thousand people last year in cybersecurity at Trellix.
>> CAMILLE STEWART GLOSTER: Excellent. That is wonderful.
>> DIANA BURLEY: So, I really see three different ways that the academy, whether we're talking about particular institutions in the academy in higher education or not, but there are three different ways that we participate and can participate in the implementation of the strategy.
The first is through convenings. One of the best things that universities can do is bring people together. We can bring government agencies, private industry, training associations, all of the different stakeholders together to have conversations in a neutral place that allow us to not only bring them together, but bring them together with thought leaders so that we can advance the conversation and share best practices, but sharing best practices in a way that allows us to think through what needs to be adjusted and adapted so that they can work in the different contexts.
The second way that higher education that the academy participates and can participate is through research. One of the key things that we do is helping to understand how to structure the workforce. I have been working in this space for a very long time and in 2018, led a task force on behalf of ACM, the largest computing society in the world, to develop the first set of cybersecurity curricular standards.
What those standards did is allowed us to address the issue that so many customers, whether they are industry members or government agencies, have when they would go to academic institutions to get cybersecurity professionals; they didn't really know what that meant. Right? It meant something different at every institution.
And so, what we have done through our research is to develop a set of guidelines, a framework so that when you go to an institution that says we have a degree program in cybersecurity or fill in the blank of the different type, you have at least an understanding of what the baseline is, what those students know and will be able to do.
And we continue to evolve that. We continue to evolve the way that we help institutions think about not just today's workforce needs, but how to structure for tomorrow, how do you develop people for jobs that don't exist today. We help to develop that research to enable folks to do that.
And then finally, it’s probably the most obvious, and that is by helping to develop the human capital, right? Whether we're talking about folks who are getting advanced degrees, four-year degrees, two-year degrees, or coming in to the workforce straight from high school with certifications.
One of the myths is that academic institutions work individually and don't see ourselves as an ecosystem, but we do, in fact, see ourselves as an ecosystem. And we recognize that every different job category has a different need. Has a different need for training. Has a different need for education. And so, we work together collaboratively to make sure that we are helping students identify the right pathways so that they can take that curriculum, they can take those courses, and move in.
And finally, there's two pieces in the strategy that really stood out to me that I just have to highlight because I was just thrilled to see them. One is that you will see in the strategy that there is an emphasis on the teachers, on the educators. Oftentimes, we forget that there are people who actually sit between those students and the employers, and those are the educators.
We have to get to a place where we are able to develop opportunities, whether they are classroom based educational opportunities, whether they're things like externships where we partner with industry to put faculty members into engagement so that they understand exactly what it is they are preparing people to be able to do.
And the second is this notion of hands-on skills. And I'm excited. You know, at American University, last week we launched a new institute. And one of the key things about this Institute of Cyber and Economic Security is that we are developing a cyber range not for the technical students, but with simulations for the students who are nontechnical. Who are able to then understand how to put the pieces together, how they fit into the system. And that is something that is directly called for in the strategy is helping people understand their role. Because it is one thing to say we need nurses and firefighters and policemen and everybody to get some cybersecurity based knowledge, but just because we say it, doesn't mean that they'll do it because it doesn't mean that they understand why they should do it.
So, by allowing them to come into this opportunity, to simulate and actually participate, it gives them an understanding of what their roles actually are, why it matters so much, and that then moves them into a better place and allows them to be productive members of the cybersecurity global society in whatever role they choose to take.
>> CAMILLE STEWART GLOSTER: That is such an important point. That engagement, that context is really important for everyone to kind of see themselves in this multi-disciplinary space, especially as we seek to evolve that narrative that I was talking about earlier.
One of the things that I heard in Tara and Michael's comments was a focus on bringing everybody into the work that they're doing. A lot of their initiatives touched on diversity, equity, and inclusion. How would you characterize the benefit of diversity in the cybersecurity workforce? Is it worthwhile for focused attention amongst stakeholder groups, Diana?
>> DIANA BURLEY: It’s – it’s critical. I mean, when we think about, and I like to put it in the context of the adversaries. Right? The adversaries don’t look like one type of person. They have come from every opportunity, from every part of society. And the only way that we will be able to keep up and keep ahead is to make sure that we have all of those individuals as members of the cybersecurity workforce.
It is important that as a diverse person coming into the room, and I say this as I mentor students and bring people into the workforce, is to say not only are you welcome, but your voice is necessary. It is required. Because you have life experiences, you have opportunities that are different and that brings something new to the table. And so, we have to make sure that your voices are there because together, not to use the RSA slogan, but stronger together truly does mean that together, as we have all of these different groups together, we are able to develop wholistic opportunities to address the threat environment.
>> CAMILLE STEWART GLOSTER: I love that theme. I’m so glad that the – please.
>> MICHAEL ALICEA: Can I add one thing to that? You know, you are so right. But there's a real simple approach which is it's a numbers game. You can't leave 50% of the population out of the workforce. And so, if you ever want to catch up, you said you don't know whether it was 50,000 or 3 million, I think it's 3 million and 1, personally. But the whole point is that when you open your aperture, you are going to get more people in those roles that we need. And while we wait for some of the vendors like Trellix and others to continue to automate, they are never going to be able to automate fast enough to catch up to the need of the workforce.
>> CAMILLE STEWART GLOSTER: Yes, two very important points. Both competitive advantage and a sheer numbers game. I mean, you can't argue with those two.
I would love to hear Michael, actually, how you think the private sector can lean in and contribute to actualizing the vision for the National Cyber Workforce Strategy? You named a lot of the work that Trellix is doing specifically, but if you could give a call to action to your peers, please do.
>> MICHAEL ALICEA: Sure. I mean, I think we, and some of these comments were mentioned by the other panelists. I think the first thing we need to know, that again, no single entity can do this. We all have to participate. That's one.
Two, we have to take a look at how we bring our expertise into the public sector as well. You know, we launched something recently where we developed co-curriculum with St. John's, who has got a cybersecurity school in Queens, New York. And the truth of the matter is that there are so many companies that have such great expertise, who are people that want to give back. And this is an opportunity for them to do that.
I think the third thing is I look at not only the expertise that we have that we can bring forward, but we have tools. So, I'm going to give you an example of something that I saw – I won't mention the school – but I will tell you I went to a school and it broke my heart.
I went to a school and I had just spent millions of dollars creating a cybersecurity school. And you go into, you know, they did a mockup of a SecOps sort of setup. And I have been to quite a few of those. And this was beautiful. Had brand-new computers, brand-new – everybody was sitting behind a desk. But I noticed one thing, that the tools that they were using were actually not real tools. They were mockups of what someone considered a SecOps organization would have. So, to me, that’s another place where the private sector can really help. Let's donate some of our tools.
And it actually doesn't matter which vendor you would use, although I would want you to use Trellix tools. But it doesn’t actually matter. Let them use tools that are actually live tools. And then combining that with our experts to say this is what happens, this is how you resolve it, or this is how you can mitigate it. And by the way, this is how adversaries are thinking about it.
So, I think it's that engagement in the private – from the public to the private, as well as engagement on a personal level, make it something which is soulful and we're giving back.
And then finally, one last point is again, as we think of the ecosystem, I think what this initiative does which I really found really great is that it provided a framework for all of us to do this almost in a noncompetitive way, right? If we band together, we are stronger together, we'll get there together.
>> CAMILLE STEWART GLOSTER: One of the things that I really like that your answer illustrates is the fact that that collaboration, that ecosystem model allows academia to be responsive to the needs of industry and to the employers, right? That is an important linkage that comes from that ecosystem model. As well as that kind of hands-on experience is essential to being proficient and having the skills needed to be successful when you enter the workforce.
So, one of the things that I think is really important is our role, the federal government's role, in incentivizing this work. So Tara, Diana, Michael, if you have thoughts as well, how best can we incentivize active participation in the implementation of the actions outlined in the strategy?
>> TARA WISNIEWSKI: So, I think that, you know, aside from the obvious ones, right, of making sure that there is funding and, you know, all of the things that need to run these kind of initiatives, but for me, one thing that I think is really great about the strategy is it really does call the ecosystem to task. And I think that in calling the ecosystem to task, the federal government also needs to stay in that convener role and in that leadership role and really making sure that as the strategy activates and as the strategy comes to life, that groups like ONCD are really kind of pushing everyone along.
Because I think that, you know, and we fully agree, I fully agree with Michael, that everyone has to come to the table. And even – I even think that we need to push ourselves beyond. We need to find innovative strategies for workforce development in a way that we have not in the past because there – what we have been doing isn't working. And so, we need to even create innovation within that ecosystem. And I think the – I do think that the White House's role to play here in really keeping us to that fire but also keeping the whole community there. And the only way it is going to do that is if it stays as present as it is, in the driver's seat, and really, really continuing to be that voice. Because unless we start to call all of the actors together and all of the ecosystem and keep ourselves accountable to each other, we're not going to change anything. And I think that one of the things that even in prep for this panel that our colleague said to some of us was, you know, where is the light bulb moment? Right? Where is that light bulb moment? And I think that we have to drive to the light bulb moment in order to really kind of move the needle in a meaningful way.
>> CAMILLE STEWART GLOSTER: Yes. I love that. Anyone else have thoughts?
>> DIANA BURLEY: And I would add that, because I agree with everything that Tara has said, that I would also add that the gravitas of the White House recognizing that this is a whole of nation effort, that this is a national security issue, also helps to push people forward.
So, in the academic space, school districts don't control themselves. Universities don't control themselves. There is some other entity out there that is actually setting the framework, setting the guidelines for what we do and how we do it. And so, in the K-12 space, it is the state legislatures that determine what content needs to be in those schools. And so, the White House being able to help push this narrative and push an understanding with the state level government entities allows us to get some traction to move things forward.
The same is true for higher education. The White House coming in and helping us to speak to the accreditation bodies, that's how we then are able to move the needle so that we can create space in the curriculum to do some of the content additions and innovations that we know need to happen.
And then third, it also helps to drive this notion of whole of nation means collaboration across the sectors. Right? And it gives us the opportunity to think about collaboration in a different way, in a way that perhaps we haven't leveraged before but is much more integrated and thus more powerful and effective.
>> MICHAEL ALICEA: I would just add that, you know, from an incentive perspective, from the private sector, I'm going to operate in the best interest of the organization. So, I don't know that I need any more incentive to do these things, because I need to hire people. They need to do things that allow us to create capabilities and services that we sell.
But what I do find is that there are nonprofits, schools that do need funding. And the way I think about it, it would be great to have either matching funding or something that says for every dollar that you get from the private sector, you know, you will get one so that we can enhance the programs.
So, again for me, I'll say okay, this is how much money I have. I can fund ten people in the accelerator program. But if the federal government or there was some tax credit or some way to say, guess what, we're going to give you some extra funding and they go to fifteen, I'm not going to hire the extra five but there is another organization that will and we're building those capabilities. That's what I mean by really expanding this going forward.
>> CAMILLE STEWART GLOSTER: Yeah. I mean, a big part of this too will just be getting our workforce in order. We will be investing heavily in figuring out what pathways will allow people to move more seamlessly between public sector and private sector because folks' desire to evolve their careers in new and different ways, not ride the ladder up but be able to move laterally and across sectors, across industries is ever increasing. So, we want to make sure we are doing that.
We are thinking about how we can make sure that the federal workforce is a place to cultivate talent that then feeds the broader ecosystem. But I think that funding piece is a good one because it actually illustrates, again, the importance of the ecosystem.
One of the things we’re finding, the National Science Foundation has money. If you didn’t know that, they do have money for things like this, right? But they are actually saying, even if you gave me 50 million more dollars, these schools do not have the staff to be able to support building out the programs you say you need so that we could help get the talent into the jobs.
And so, the reason the ecosystem is so important is because I'm hoping Michael, I’m hoping Tara, I’m hoping Diana will volunteer in K through 12 institutions or to be an adjunct, to help bridge the gap on having the talent to teach so that we can get folks out into the industry as a staff gap or maybe as a permanent fixture in the academic ecosystem to then allow us to continue to give the funding so that these programs can be more vested and built out.
And so, I mean, I think those are really important points to illustrate just how important it is, that collaboration piece. And the federal government, all of the agencies across the federal government will be partners in doing just that because we have some really big needs as well.
Tara, ISC recently released a cybersecurity workforce study, noting a critical need for cybersecurity professionals persists amidst a year of cultural and workplace evolution.
>> TARA WISNIEWSKI: Yes.
>> CAMILLE STEWART GLOSTER: This study surveyed nearly 12,000 international practitioners for their perspectives on nearly every facet of workforce participation, including hiring, recruiting, culture and job satisfaction, career pathways, and professional development. How is the data you collected instructive for organizations? What actions can organizations take to retain and support employees’ career growth?
>> TARA WISNIEWSKI: So, great question. Thank you so much. And we really do, as an organization, we think about the workforce in so many different ways and really kind of come at it with a real 360 view. So, in that research that Camille has just referenced, there was some really key, really interesting things that kind of came to light.
First of all, and I think Michael's already hinted at it a little bit, we have a lot to do to educate our hiring managers. There is a lot of work to do in just the art of talent acquisition. Because there are so many people who, because, and Camille said it in her opening, right, you kind of – you say cybersecurity and people kind of shut down. But we – that frontline needs to understand much better what exactly security teams need, what that looks like. And even things like do you really need ten years? Do you really need that?
We also see very often, you know, we are – we produce the CISSP and we see – which has a five-year experience requirement, but we see that on entry level jobs all the time. And so, we even as an organization want to do more in terms of that. So, hiring managers, really important.
The other thing that is really important, and this is something that I, in my reading of the strategy, is so consistent throughout that I think is important, we've already touched on it, is really fostering a diverse and inclusive workforce. Because in fostering a diverse and inclusive workforce, you have better retention, you have happier teams, you have less burnout, and therefore, your organization can not only move the needle but it’s also a more agile cyber team. Right? It’s a team that can do more. It can be more nuanced and really be able to respond to threats in a really efficient and successful way.
So for us, you know, those are really key things that we find. We do think that those kind of regular conversations with that – with industry, with hiring managers becomes really, really important.
And the other piece that this wasn't necessarily in the research but is something that Diana said that really kind of prompted, it also is in the ecosystem of bringing professionals who are in the field into the classroom in a meaningful way. And so, we hear from our members all the time that they spend a lot of time as adjuncts in community colleges because community colleges are focused on employability and it helps them build their network in order to create that talent pipeline for their own organizations.
So again, that kind of brings me back to my whole, you know, one of my newest soapboxes lately is just not only do we need to kind of be part of this ecosystem, but we need innovation in the way that we look at this workforce challenge.
>> CAMILLE STEWART GLOSTER: I love the way that you ended that. As we think about innovation, in what ways does the strategy set forth novel or different approaches to bolstering the cyber workforce, whether that's federal or national, across the ecosystem?
>> TARA WISNIEWSKI: So, I – first of all, the fact that there is a strategy is really important. And again, this strategy, as I think, that the National Strategy is bold for strategies. And that boldness becomes important, right? And so, I think there is a lot of – it is novel in that way.
Again, it is call out to organizations. Call out to the ecosystem. Call out to all of us who matter is also I think really powerful. And to Diana's point about the gravitas of the White House should not be – we don't want the White House to forget that.
>> CAMILLE STEWART GLOSTER: We're committed.
>> MICHAEL ALICEA: It’s funny. You know, we talk about this concept of novel. We have been talking about it for ten years. The novel thing about it is that there is an alignment around it. And when you talk about ecosystem, it's not some amorphous thing. It is get them early, get them often. That helps the industry as a whole in the future. Maybe they won't go into cybersecurity but we'll have a more secure nation. So, that's one. And that's novel because I haven't seen that before in any other sort of initiative.
I think the second thing is this concept of how do you bring all these constituents together. And it is almost as if you are giving us – I know it sounds funny, but you are giving us permission to talk to each other. So, if you are out there, you are a CHRO, and you want some of the contacts that I have that we've been working with on security issues, on accelerator programs, I'm not hoarding this information. Reach out to me. I will send it to you. I will gladly provide an introduction because it helps all of us.
>> CAMILLE STEWART GLOSTER: Yeah, that collaboration and information sharing is something we have seen a lot and we definitely want to foster. Diana?
>> DIANA BURLEY: I would focus on a couple of things. One is, to Michael's point about raising up the general citizenry, I think that one of the innovative pieces in the strategy is that when there is discussion about education, it is broader than those who will be the tip of the spear, people in the cybersecurity workforce. And by being broad like that, it does allow us to elevate the whole of nation. Right? All of our citizens move up to a particular baseline that makes us all safer and more secure.
And the other piece is that the strategy, you know, you say ecosystem and that becomes almost like a buzzword that people say, well, what do they really mean or what is it? I think that when people read the strategy, you will see that there are – there are many, many different touch points for the different sectors to come together.
So, when we talk about being able to have more meaningful relationships between industry and academia or training associations and academia, it is not just do this one thing. Right? There is this one strategy. But it is almost like a portfolio of different ways that we can begin working together, recognizing that yes, there is already some collaboration, but this allows us to take it up a notch. And in that moving forward and having all of these different opportunities, we come together and we can cocreate and innovate in a new way.
And so, it is almost like the strategy on the one hand, there are innovative tactics in there, but on the other hand, it also provides the foundation for innovation to continue and for innovation to continue amongst the stakeholders. And that's really what's key because this field constantly evolves and there is no strategy that if it didn't have that framework, it wouldn't continue to be relevant. But the fact that the framework is in there, it allows us to know this is going to continue to help us even as the field continues to evolve.
>> CAMILLE STEWART GLOSTER: I'm glad it's doing that.
One of the things that I hope that you guys hear in this is really that call to action for you to see your gripes reflected in this strategy, to see your challenges reflected in this strategy, and then some solutions and mechanisms to convene and that framework that Diana talked about to come together around realizing a vision for a really strong cyber workforce that has the agility to meet the dynamism of a changing digital ecosystem and a changing set of needs by our employers.
When this strategy comes out, I really, really encourage you all to engage with us directly, to engage with each other, and to feel ownership of driving the actions that are in it forward. We cannot do this alone. And as much as we even convene or provide funding, you actually have to apply for the grant. You have to build the program that we can then evangelize on your behalf. And so, I'm really hoping that every person in this audience feels ownership of this strategy because we have worked really hard to try to make sure that it is a reflection of your needs, desires, and a future where you are getting exactly what you need to meet the challenge.
This is not only a national security imperative. It is an economic prosperity imperative. It is an individual human security imperative. It is integral to our democracy. And quite frankly, one of the things that you will see in there is we recognize the interconnectedness of our society with our global partners. There is some international work in there as well.
We hope that this strategy is a good launchpad because we didn't want to focus on just the federal workforce. That is a small piece of a bigger puzzle. It must be that entire flywheel of stakeholders and that entire viewpoint. We hope that you will engage as we continue to move forward on this.
So, thank you for joining us today. And thank you to the panelists for their insights and their expertise.
>> DIANA BURLEY: Thank you.
>> MICHAEL ALICEA: Thank you.
Deputy National Cyber Director Technology and Ecosystem Security (TES), White House Office of the National Cyber Director